Questions Flashcards
AWS service encryption enabled by default
CloudTrail Logs
AWS Region as minimum how many AZs
3
AZs have minimum how many Data Centres
1
Fault Tolerance is achieved by Scale Up or Scale Out
Scale Out
Three best practice areas for Reliability in the cloud
Foundations(AWS Config - monitors and records your AWS resource configurations),
Change Management(AWS CloudTrail, account activity),
Failure Management(CloudWatch - built for DevOps engineers, developers, site reliability engineers (SREs), and IT managers for monitoring applications and performance)
AWS Trusted Advisor
Provision your resources following AWS best practices
Cost optimization, security, fault tolerance, service limits, and performance improvement (CSSPF)
Amazon GuardDuty
Threat detection service that monitors malicious activity and unauthorized behavior
Amazon Inspector
Security Assessment - Assesses applications for exposure, vulnerabilities, and deviations from best practices
AWS CloudWatch
For DevOps engineers
AWS CloudTrail
For organizations: governance, compliance and audit of AWS accounts
AWS Basic Support
Access to the core Trusted Advisor checks
AWS Health Dashboard
AWS Developer Support
Email-based technical support during business hours
Access to the core Trusted Advisor checks (service quota and basic security checks)
AWS Enterprise
Customers with concierge-like service
24x7 technical support from high-quality engineers
Designated Technical Account Manager
AWS Enterprise On-Ramp Support
Expert guidance to grow and optimize in the Cloud
Business Critical downtime < 30 mins
AWS Business Support
24x7 phone, email and chat access to technical support
Business Critical downtime < 15 mins
What provides protection at Amazon API Gateway, Amazon CloudFront or an Application Load Balancer
AWS WAF
What provides protection at Network layer and Transport layers
AWS Shield
Receive alerts when the reservation utilization falls
AWS Budgets
Allows marketers and developers to deliver customer-centric engagement experiences
Amazon Pinpoint
Active-active configuration across regions using Managed NoSQL DB
Amazon DynamoDB with global tables
AWS Partner Network (APN)
Global partner program for technology and consulting businesses
AWS Systems Manager
Gives you visibility and control of your infrastructure on AWS
Unified user interface so you can view operational data from multiple AWS services
Enables running commands, managing patches, and configuring servers across the AWS Cloud as well as on-premises
Estimate Cost
AWS Pricing Calculator
Comprehensive cost report while running AWS services
AWS Cost and Usage report
High level cost report while running AWS services with historical data
AWS Cost Explorer
Set alert for cost and usage(utilization) limits
AWS Budgets
Dedicated Host vs Instance
BYOL (Bring Your Own License, e.g. server-bound software licenses) is supported on a dedicated host only
Consistently deploying your instance to the same physical server is supported on a dedicated host only
AWS encryption SDK
Client-side encryption library that is separate from the language-specific SDKs
SSE-S3 vs SSE-KMS
SSE-S3 = Server-side encryption with Amazon S3-Managed Keys (free)
SSE-KMS = Server-side encryption with AWS KMS keys (additional charges and has audit trail)
Encryption is enabled by default for all the objects written to Amazon S3. True or False?
True
Geolocation vs Geoproximity routing policy
Route traffic based on user location vs location of your resources
Multivalue answer routing
Up to 8 healthy records
In most cases there is no charge for inbound data transfer or data transfer between other AWS services within the same region. True or False?
True
AWS Endpoint vs AWS PrivateLink
At consumer level vs at service provider level. Both work together to provide private connection to AWS services within AWS.
However, AWS PrivateLink also provides private connection of AWS services to on-premises applications
AWS site to site VPN vs Direct Connect
Connect on-premises to AWS services over the public internet
Vs
Connect on-premises to AWS services over a private network
CAF - Business perspective what are the roles?
CEO, CFO, COO, CIO, and CTO
Cloud investments accelerate your digital transformation
CAF - People perspective what are the roles?
CIO, COO, CTO, cloud director, and cross-functional and enterprise-wide leaders
(cross-functional and enterprise-wide leaders)
Bridge between technology and business
CAF - Governance perspective what are the roles?
CIO, CTO, CFO, CDO, and CRO
(CDO and CRO)
Orchestrate your cloud initiatives while maximizing organizational benefits and minimizing transformation-related risks
CAF - Platform perspective what are the roles?
CTO, technology leaders, architects, and engineers
(architects, and engineers)
Build an enterprise-grade, scalable, hybrid cloud platform
CAF - Security perspective what are the roles?
CISO, CCO, internal audit leaders, and security architects and engineers
(CISO, CCO)
Achieve the confidentiality, integrity, and availability of your data and cloud workloads
CAF - Operations perspective what are the roles?
infrastructure and operations leaders, site reliability engineers, and information technology service managers
(site reliability engineers and IT service managers )
Ensure that your cloud services are delivered at a level that meets the needs of your business
Cloud Transformation
Journey
Envision(demonstrating) ->Align(gap analysis)->Launch(delivering pilot)->Scale(expanding pilots)
(EALS)
“No upfront payment option with the standard 1-year term”
“All upfront payment option with the standard 1-year term”
“No upfront payment option with the standard 3-year term”
“Partial upfront payment option with the standard 3-year term”
What is % saving in each?
36%
40%
56%
59%
AWS SQS and SNS
Used to decouple and scale microservices, distributed systems, and serverless applications
AWS Step Functions
Coordinate multiple AWS services into serverless workflows
AWS Glue
ETL service
VPC Endpoint - Types
Interface(IP based AWS S3 and Others) and Gateway(Route table based supported by AWS S3 and DynamoDB)
SG has both Allow and Deny rules. True or False?
False, only Allow
Network ACL has both Allow and Deny rules. True or False?
True
Network ACL works at?
Subnet level. It's stateless
Security Group works at?
Instance(VPC) level
NAT Gateway/Instances
Allow private subnet instances to connect to the internet or other AWS services and restrict inbound internet traffic into the subnet
Services that have reservations to optimize cost
EC2, DocumentDB, RDS, ElastiCache reserved nodes and RedShift
PaaS example
EBS
IaaS example
EC2
SaaS
AWS Rekognition
AWS EMR
Big data
AWS Elastic Beanstalk
Deploying and scaling web applications and services
High-performance hardware disks that provide fast I/O performance
Instance Store
Object storage service
AWS S3
High-performance block storage service
Elastic Block Storage
Elastic NFS file system
EFS
Amazon S3 Standard-IA vs Intelligent-Tiering
Similar except IT is more expensive
OS vulnerabilities
AWS Inspector
PII
AWS Macie
Threat Detection
AWS GuardDuty
DDoS
AWS Shield
Architectural guidance contextual to your specific use-cases. Which support?
Business
Architectural guidance contextual to your application. Which support?
Enterprise
Architectural guidance contextual to your application (one per year). Which support?
Enterprise On-Ramp
General architectural guidance as you build and test. Which support?
Developer
Amazon API Gateway
For developers to create, publish, maintain, monitor, and secure APIs at any scale
AWS Shield Advanced on which services?
EC2, ELB, CloudFront, Route53, Global Accelerator
Amazon OpenSearch Service
Interactive log analytics, real-time application monitoring, website search
Derived from Elasticsearch
Amazon S3 vs EFS
S3 does not support file append like EFS
AWS Compute Optimizer for which AWS services
EC2, ASGs, EBS and Lambda Functions
AWS Neptune
Build and run graph applications
6 Pillars
Operational Excellence - Focuses on running and monitoring systems, and continually improving processes and procedures
- Ops as Code, Anticipate and Learn from failure, Use managed services
Performance Efficiency - Focuses on structured and streamlined allocation of IT and computing resources
- Go global in minutes, use advanced technologies, serverless
Reliability - Focuses on workloads performing their intended functions and how to recover quickly from failure to meet demands
- Stop guessing capacity, recover from failure, scale out, manage change through automation
Cost Optimization - Focuses on avoiding unnecessary costs
Security - Focuses on protecting information and systems
Sustainability - Focuses on minimizing the environmental impacts of running cloud workloads
AWS Region is different from location - True or False?
False
AWS AZs vs Local Zones
AZs are isolated locations within a region with all AWS services
Local Zones are an extension of a region, providing low-latency services to specific geographic areas, enhancing availability beyond traditional regions. They provide more services than edge locations but less than a region or AZ
For connecting On premise DC to VPC on AWS, what are the options?
- AWS Direct connect
- Transit Gateway
- Site-to-Site VPN
AWS Private Link vs VPC Peering
AWS PrivateLink allows connecting to AWS services or services in other VPCs privately, like a local network, bypassing the public Internet. If a VPC Endpoint is added to your VPC then, using PrivateLink, other VPCs can also use the services of your VPC. Common use cases are accessing AWS services, third-party integrations, multi-account connectivity
VPC Peering enables connectivity between two VPCs within the same AWS region or across different regions. It allows instances in one VPC to communicate directly with instances in another VPC using private IP addresses. Common use cases: multi-tier applications, shared services such as logging, monitoring, or security, disaster recovery
Support Plans
Plans: Developer, Business, Enterprise On-Ramp, Enterprise
Response time: Developer <12 hrs, Business <1 hr, Enterprise On-Ramp <30 mins, Enterprise <15 mins
TAM: Developer -, Business -, Enterprise On-Ramp TAMs, Enterprise 1 TAM
Support hours: Developer business hours (email access), Business 24/7, Enterprise On-Ramp 24/7, Enterprise 24/7
AWS Support API: Developer -, Business yes, Enterprise On-Ramp yes, Enterprise yes
Incident detection: for additional fee
AWS Managed Services: Enterprise On-Ramp for additional fee, Enterprise for additional fee
re:Post Private: Enterprise On-Ramp for additional fee, Enterprise for additional fee
Access to architectural reviews: Enterprise On-Ramp, Enterprise
MFA devices
- U2F security key - Plug into a USB port on your computer. Authenticated by tapping the device instead of manually entering a code
- Virtual Multi-Factor Authentication (AWS MFA) device - Software app that runs on a phone or other device and emulates a physical device. Authenticated by typing a valid code from the device
- Hardware Multi-Factor Authentication (AWS MFA) device - Hardware device that generates a six-digit numeric code. Authenticated by typing a valid code from the device
- SMS text message-based Multi-Factor Authentication (AWS MFA) - IAM user settings include the phone number of the user’s SMS-compatible mobile device. Authenticated by OTP
Disaster Recovery Plans
Automated backups - Same region (Recovery Time Objective is lowest)
Manual snapshots - Cross region (Recovery Point Objective is lowest)
Read replicas - Cross region
Amazon EC2 instance user data and metadata
Bootstrap script or configuration parameters while launching your instance
Metadata is data about your instance that you can use to manage the instance
AWS Global Accelerator connects to what?
Network Load Balancers (non-HTTP traffic), Application Load Balancers and EC2
S3 pricing
There are four cost components to consider for S3 pricing –
storage pricing;
request and data retrieval pricing;
data transfer and transfer acceleration pricing;
and data management features pricing.
Under “Data Transfer”, You pay for all bandwidth into and out of Amazon S3, except for the following:
(1) Data transferred in from the internet,
(2) Data transferred out to an Amazon Elastic Compute Cloud (Amazon EC2) instance, when the instance is in the same AWS Region as the S3 bucket,
(3) Data transferred out to Amazon CloudFront (CloudFront).
AWS Web Application Firewall (AWS WAF) lets you monitor the HTTP and HTTPS requests that are forwarded to….
- Application Load Balancer
- Amazon CloudFront
- Amazon API Gateway
Billing alarms
CloudWatch
AWS Shield Advanced provides protection for the following AWS Services
- EC2,
- Elastic Load Balancers,
- Amazon CloudFront,
- Amazon Route 53,
- AWS Global Accelerator
Which of the following is available across all AWS Support plans
AWS Health Dashboard – Your account health
Which of the following AWS services offers Lifecycle configuration for cost-optimal storage
S3
GeoLocation Vs Geoproximity routing policy Vs Latency?
GeoLocation - Proximity to user’s location
GeoProximity - Proximity to resource’s location
Latency - Proximity to region
TCO Vs Pricing Calculator
TCO Calculator: Estimates the total cost of moving resources from on-premises to Cloud, considering various factors like infrastructure, maintenance, and migration costs
Pricing Calculator: A tool for calculating the costs of running specific workloads on Azure or AWS, providing detailed estimates based on resource configurations
TCO Calculator: Focuses on the broader picture, encompassing overall expenses related to migration and ongoing operations.
Pricing Calculator: Provides granular insights into the costs associated with specific resources, facilitating budgeting and cost optimization
Which one allows bidding for instances unused by other users?
SPOT
Key components of S3 Glacier
- Access Policy
- Archive
- Vault
Predictable monthly cost - EC2 or LightSail?
Lightsail
Minimum AZs per region
3
Routing algorithm for ALB
ALB selects the target based on the routing rule, then selects a node using a round robin strategy
The classic ALB uses round robin for TCP listeners only
Bucket Policies and ACLs with respect to S3
Bucket Policies control access to the entire bucket and ACLs to individual objects within the bucket
URL structure of S3
https://<bucket>.<S3>/<object>
IAM user access options
Programmatic access using the command line
SDK access
Management console access
Amazon Glacier components
Archive, Vault (groups of archives) and Access Policies (to control access to objects within archives and vaults)
Identity Federation
Users can access AWS services using their Facebook, Google, Instagram or Active Directory credentials
- Federation with IAM Identity Center
- Federation with IAM
- Federation with Amazon Cognito identity pools
Database migration services
Can migrate to and from AWS and on-premises
Can migrate from EC2 to RDS
Can migrate to Redshift and DynamoDB
VPC Peering some facts
It can happen across regions and between different AWS accounts
It is also used to store data for fault tolerance, DR and redundancy
Traffic between different regions is encrypted by default but not encrypted by default within the same region
Encryption at Rest
By Customer, By S3, By KMS
Monitoring capability is with KMS only, after integrating with CloudTrail
TCO
Recommendations on resource types based on operational best practices and user inputs
Macie facts
Discover, classify and protect
1. It reads through user data and identifies sensitive info using AI, ML and NLU
2. It can't prevent unauthorized access to the information but can alert the admin using CloudTrail
3. It's not a fully managed service but needs to be configured
DataSync
Transfer from on-premises to AWS storage services
Between AWS storage services
From public clouds to AWS storage services
It's for continuous syncing vs DMS which is for database migration only
OS patch management, whose responsibility?
EC2 - Customer
DynamoDB - AWS
Athena some facts
Serverless query service
Interactive query service that makes it easy to analyze unstructured, semi-structured, and structured data stored directly in Amazon Simple Storage Service (Amazon S3) using standard SQL
Compatible with CSV, JSON, AVRO or columnar data formats such as Apache Parquet and Apache ORC
DynamoDB Backups, who configures and who takes backup?
Customer configures and AWS takes backups
AppSync
Simplify application development with GraphQL APIs by providing a single endpoint to securely query or update data from multiple databases, microservices, and APIs
Consolidate data from multiple databases, APIs, and microservices in a single network call, from a single endpoint, abstracting backend complexity
Amplify
Facilitate the development and deployment of web and mobile applications. Quickly build full-stack applications
Security Hub
AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you assess your AWS environment against security industry standards and best practices
AWS Firewall Manager
Simplifies your administration and maintenance tasks across multiple accounts and resources for a variety of protections, including AWS WAF, AWS Shield Advanced, Amazon VPC security groups, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall. It does not work with Network ACLs
Security Hub collects security data across AWS accounts, AWS services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues
SCPs
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.
Not enabled by default
SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines
SCPs alone are not sufficient in granting permissions to the accounts in your organization. No permissions are granted by an SCP. An SCP defines a guardrail, or sets limits, on the actions that the account’s administrator can delegate to the IAM users and roles in the affected accounts.
The administrator must still attach identity-based or resource-based policies to IAM users or roles, or to the resources in your accounts to actually grant permissions.
The effective permissions are the logical intersection between what is allowed by the SCP and what is allowed by the IAM and resource-based policies
If an instance store reboots, does the data in the instance persist?
Yes
Which tool lets you visualise and manage your AWS costs?
AWS Cost Explorer
Containers are an essential concept in microservice architectures.
True
Which AWS service reduces network latency?
CloudFront
Which Amazon S3 storage class has the lowest cost?
S3 Glacier Deep Archive
What are Edge Locations?
Data centers that deliver data fast to the users
Which perspective of the AWS Cloud Adoption Framework focuses on minimizing the business risks?
Governance Perspective
Which AWS service helps you build text chatbots?
Amazon Lex
AWS Elastic Block Store Snapshot is:
Incremental data backup
What is Service Quotas in AWS?
Quotas, also referred to as limits in AWS services, are the maximum values for the resources, actions, and items in your AWS account
Scope of VPC
A VPC can span all Availability Zones within an AWS Region
AWS Resource Explorer
Facilitates resource search and discovery within AWS accounts
AWS Knowledge Center
Available through AWS re:Post, offers official articles and videos addressing common questions and requests from AWS customers
AWS CloudShell
Browser-based shell provided by Amazon Web Services (AWS) that allows users to run scripts with the AWS Command Line Interface (CLI) and experiment with service APIs
Individual Amazon S3 objects range?
0 to 5TB
Route table components
Destination (IP address CIDR range) = The destination IPs to which the instances in the VPC send traffic. Its value is 0.0.0.0/0 for IPv4 and ::/0 for IPv6
Target (local, gateway ID or network interface) = The gateway/NAT through which the traffic should pass for the list of IPs
AWS Tape Gateway
You can use it to directly connect to your on-premises tape drive and, using AWS Storage Gateway, back up the data to an Amazon S3 tape library w/o any code changes
Securing EC2
- SSH (IP is public and key stored on accessing machine)
- EC2 in private subnet, which talks to a bastion host in the public subnet, which in turn talks to the user over the internet (key stored on accessing machine)
- Add MFA on access
- SSM (No need of bastion host. EC2 in private subnet with access to internet using NAT or VPC endpoint)
Encryption of Data at Rest by default
S3
ECR
Migration strategies
Rehosting — Otherwise known as “lift-and-shift”
Replatforming — I sometimes call this “lift-tinker-and-shift”
Repurchasing — Moving to a different product
Refactoring / Re-architecting
Retire — Get rid of
Retain — Usually this means “revisit” or do nothing (for now)
Amazon WorkLink
Fully managed service introduced by AWS that facilitates secure, one-click access to internal corporate websites for employees
Secure access from iOS and Android phones to internal websites and web apps, simplifying the user experience with a single-step process
Generates webpage content in the AWS cloud and transfers it to the user’s phone
AWS Service Catalog
Create and manage catalogs of IT services, and self-service discovery and launch
Users browse listings of products (services or applications) that they have access to, locate the product that they want to use, and launch it all on their own as a provisioned product
Deployment of multi-tier application architectures
AWS CloudShell
AWS CloudShell is a browser-based shell that allows users to run scripts with the AWS Command Line Interface (CLI) and experiment with service APIs
AWS Application Composer
Visual designer that you can use to build your serverless applications from multiple AWS services
Amazon Timestream
Time series DB for IoT
Amazon S3 Object Lock
Prevent the deletion or overwriting of objects in Amazon S3 for a specified duration or indefinitely